Morgan Stanley experiences info breach after vendor Accellion hack

Image: Morgan Stanley

Financial commitment banking company Morgan Stanley has documented a data breach right after attackers stole particular data belonging to its consumers by hacking into the Accellion FTA server of a third-celebration seller.

Morgan Stanley is a foremost world wide monetary providers agency providing expense banking, securities, prosperity and investment management services all over the world.

The American multinational firm’s customers include businesses, governments, establishments, and persons in additional than 41 international locations.

Encrypted data files stolen jointly with decryption critical

Guidehouse, a third-get together vendor that gives account maintenance providers to Morgan Stanley’s StockPlan Link organization, notified the expense banking organization in May 2021 that attackers hacked its Accellion FTA server to steal data belonging to Morgan Stanley inventory system contributors.

The Guidehouse server was breached by exploiting an Accellion FTA vulnerability in January prior to the seller patched it in just 5 times of the fix getting to be available.

Guidehouse found the breach in March and the impression to Morgan Stanley buyers in Could, when it notified the fiscal expert services company of the incident and that no evidence was found of the stolen knowledge remaining disseminated on-line by the threat actors.

“There was no details protection breach of any Morgan Stanley programs,” Morgan Stanley reported in data breach notification letters sent to impacted people today.

“The incident involves files which were being in Guidehouse’s possession, which includes encrypted information from Morgan Stanley.”

Having said that, even nevertheless the stolen information ended up stored in encrypted variety on the compromised Guidehouse Accellion FTA server, the risk actors also attained the decryption crucial for the duration of the attack.

Morgan Stanley states that the paperwork stolen through this incident contained:

  • Stock strategy participants’ names
  • Addresses (past acknowledged deal with)
  • Dates of birth
  • Social security numbers
  • Company company names

The company additional that the documents stolen from Guidehouse’s FTA server did not comprise passwords info or qualifications that the risk actors could use to get entry to impacted Morgan Stanley customers’ economic accounts.

“The protection of shopper info is of the utmost significance and is a little something we just take pretty very seriously,” a Morgan Stanley spokesperson informed BleepingComputer. “We are in close contact with Guidehouse and are getting measures to mitigate potential challenges to clientele.”

Clop gang and FIN11 at the rear of collection of Accellion hacks

When the attackers’ identification was not disclosed in Morgan Stanley’s knowledge breach notification, a joint assertion posted by Accellion and Mandiant from February drop additional light-weight on the attacks, directly linking them to the FIN11 cybercrime group.

The Clop ransomware gang has also utilized an Accellion FTA zero-day vulnerability (disclosed in December 2020) to steal info from a number of companies.

Accellion has mentioned that around 300 buyers utilized the 20-12 months-old legacy FTA software, with a lot less than 100 of them currently being breached in these assaults.

Commencing in January, BleepingComputer has documented multiple facts breaches impacting providers and corporations right after their Accellion FTA servers ended up compromised, allowing for the cybercrime teams to exfiltrate delicate information and facts.

So far, these threat actors have hit strength big Shell, cybersecurity organization Qualys, the Reserve Financial institution of New Zealand, Singtel, supermarket large Kroger, the Workplace of the Washington Point out Auditor (“SAO”), the Australian Securities and Investments Fee (ASIC), and numerous universities and other businesses.

In February, Five Eyes users have also issued a joint protection advisory on these assaults and extortion tries.